Navigator bug exposes browser history
Netscape confirms the existence of a bug that lets a malicious Web site operator find out where a victim has been surfing.
The bug makes users' browser cache vulnerable to a JavaScript exploit posted to the Web by programmer Dan Brumleve.
"This is a privacy bug that lets a malicious Web site get the URLs that are contained in the current cache," said Netscape product manager Eric Byunn. "There is a privacy implication in that the site can find out what sites you've visited in the recent past."
Byunn said that, pending the arrival of a fix this week, Navigator users could protect themselves against the bug by setting their browser cache size, under "preferences," to zero. Netscape will post the fix to its Web site and also include it in the shipping version of Communicator 4.5, the company's Internet software suite that includes Navigator.
Byunn also acknowledged the possibility that the exploit could be carried out by sending Web-based email to a Navigator user, and that a similar exploit could expose information about recent Web searches the user carried out. But he said Netscape had only verified the bug as it affects surfing history of those visiting a hostile Web site.
The coming fix will cover all those potentialities, Byunn said.
"We're working on a fix that would prevent this kind of information from being transmitted to a Web site, particularly for this class of privacy bug," he said.
The exploit posted by Brumleve relies on a JavaScript window to swipe the cached surfing history. JavaScript is a scripting language, developed by Netscape, for Web features such as forms and pop-up windows. It is unrelated to Java, a programming language developed by Sun Microsystems.
To gauge the seriousness of the threat to their own personal privacy, Navigator users can view the contents of their present cache by entering "about:cache" into their browser address bar. More information about surfing history can be found by entering "about:global."
Richard M. Smith, president of Phar Lap Software, said the security hole, first reported by the New York Times, not only could be exploited to expose searching history and executed via Web-based email, but also could reveal Web site passwords, depending on whether sites include those passwords in their URLs.
Smith, who posted his findings to the newsgroup "comp.lang.javascript," warned that users should not go through with Brumleve's demonstration because it would compromise their private information.
"I've tested it," Smith said. "It works."